-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3410
   Red Hat OpenShift Service Mesh 1.1 servicemesh-proxy security update
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Service Mesh 1.1 servicemesh-proxy
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25017  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4129

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh 1.1 servicemesh-proxy security update
Advisory ID:       RHSA-2020:4129-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4129
Issue date:        2020-09-30
CVE Names:         CVE-2020-25017 
=====================================================================

1. Summary:

An update for servicemesh-proxy is now available for OpenShift Service Mesh
1.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* envoyproxy/envoy: incorrectly handles multiple HTTP headers in requests
(CVE-2020-25017)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1877613 - CVE-2020-25017 envoyproxy/envoy: incorrectly handles multiple HTTP headers in requests

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-proxy-1.1.9-1.el8.src.rpm

x86_64:
servicemesh-proxy-1.1.9-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
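The package list above names the fixed build, servicemesh-proxy-1.1.9-1.el8. The following POSIX shell script is an added example, not part of the Red Hat advisory or of the AusCERT bulletin: it decides whether an installed servicemesh-proxy RPM is older than that build, and, on a host where rpm is present, queries the installed package and checks a downloaded package file's GPG signature with `rpm -K`. The version comparison is a plain numeric field-by-field compare written here for illustration, not rpm's own comparison algorithm; the package name, fixed version and file name are taken from section 6, and the `RUN_CHECK` variable is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory or the AusCERT bulletin).
# Checks whether the installed servicemesh-proxy is older than the build that
# carries the CVE-2020-25017 fix, and verifies a downloaded RPM's signature.

FIXED_VERSION="1.1.9"   # version of the fixed build (section 6 package list)
FIXED_RELEASE="1"       # numeric part of release "1.el8"

# vercmp A B: compare two dotted numeric strings field by field.
# Prints -1, 0 or 1 for A < B, A == B, A > B. Missing fields count as 0.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
    bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
    ah="${ah:-0}"; bh="${bh:-0}"
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# needs_update VERSION RELEASE: exit 0 (true) when the installed
# version-release is older than the fixed build, 1 otherwise.
# Only the leading number of the release ("1" of "1.el8") is compared.
needs_update() {
  inst_ver="$1"; inst_rel="${2%%.*}"
  case "$(vercmp "$inst_ver" "$FIXED_VERSION")" in
    -1) return 0 ;;
    1)  return 1 ;;
  esac
  [ "$inst_rel" -lt "$FIXED_RELEASE" ]
}

# check_host: query the rpm database on this machine and report.
# Exit 0 = fixed build present, 1 = update required, 2 = cannot decide.
check_host() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found; nothing to check"; return 2; }
  nvr="$(rpm -q --qf '%{VERSION} %{RELEASE}\n' servicemesh-proxy 2>/dev/null)" || {
    echo "servicemesh-proxy is not installed"; return 2; }
  set -- $nvr
  if needs_update "$1" "$2"; then
    echo "servicemesh-proxy-$1-$2 predates $FIXED_VERSION-$FIXED_RELEASE.el8: apply RHSA-2020:4129"
    return 1
  fi
  echo "servicemesh-proxy-$1-$2 includes the fix for CVE-2020-25017"
  return 0
}

# verify_rpm FILE: check the GPG signature of a downloaded package with
# rpm -K (requires the Red Hat key from the URL above to be imported first).
# A non-zero status, or a NOKEY marker in the output, means the file is not
# verified and must not be installed.
verify_rpm() {
  out="$(rpm -K -- "$1" 2>&1)" || { echo "signature check FAILED: $out"; return 1; }
  case "$out" in
    *NOKEY*) echo "Red Hat signing key not imported: $out"; return 1 ;;
  esac
  echo "signature OK: $out"
  return 0
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  check_host
  [ -f servicemesh-proxy-1.1.9-1.el8.x86_64.rpm ] && \
    verify_rpm servicemesh-proxy-1.1.9-1.el8.x86_64.rpm
fi
```

Run it as `RUN_CHECK=1 sh check-servicemesh-proxy.sh` on a mesh node; an exit status of 1 from the host check means the installed build predates the fix. Real rpm version ordering also handles non-numeric segments, which this comparison deliberately does not attempt.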

7. References:

https://access.redhat.com/security/cve/CVE-2020-25017
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=aPum
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3UoveNLKJtyKPYoAQgSThAAkYmMHvJO24asV/8e6noOdYXYuUeRSiFv
3jhtc21bcWNjy2YbubsjCg/j2iqaYlvZ6MN6iKxy6DA2qNWZSyEObfDHsnEfmW+s
kkr6moj/nv6YqxOmGhsaovnUS5z5ziwxcPG1Twp5dUhTnKWxJZaF0kCxk6bLnmWw
hABKH5g6oNAhfE9befbFF5j9yKf1hTkiSMrW5rO1SVK3BEgioHbTgjab0aqCAdR/
JcfhM1POW8KGR4jfBzo7uH+HYu6a7PvfJyjoEW+byQxsMexfRO3LxDWf9sQN2vk2
aAGPAQQcA7DIrJNSGppnDjWAq5q3tHsDQqLi88Zh6lhDDO+W6+igZVsycEc1W3w7
DHhMhgSmpi7j1BcwPzE1Hz8YIdxhWt5gMbzTMUbGTiOvdnr7TZRLdJLSXTkGPThf
UK7vaT91IT8/6I1qbsUp8igqL03X/CRD1l5IEVSGBKyQFAwik47GcfLDS9zYlI9m
5WoNhKnEpLhPOjlS6VCeZlUDS5w57CZrq0pdzLHmNDO5+709v+/XpEPBjvC9YzwD
J2HRN/ZPaSlr1KpXiGZQbixydlgO7ytK1o9DYc5r5gYSjWei5/7XgasREPxhnUm4
Zmij8eppuUa7KM2yJJ9YiAtbEmN63UTUL3AYYj56gnYT8y1ovQDGc6RhtRGElusz
HbtSl8XQr0w=
=qQH/
-----END PGP SIGNATURE-----